Merge pull request 'Adds user list in variable docker_users to docker group' (#5 ) from bugfix/docker-users-group into master

Reviewed-on: #5
Adds user list in variable docker_users to docker group
2023-12-11 19:14:05 +01:00 · 2023-12-11 19:13:31 +01:00 · 2023-12-11 18:37:12 +01:00 · 2023-12-11 18:36:27 +01:00 · 2023-12-10 15:31:44 +01:00 · 2023-12-10 15:30:25 +01:00
6 changed files with 71 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -30,6 +30,8 @@ ensure_ansible_version: 2.10.3
 enable_sudo: yes
 # Allow passwordless sudo (applied to group wheel)
 enable_passwordless_sudo: yes
+# Skip provisioning of the firewall
+skip_firewall: no
 ```

 Dependencies
@ -41,7 +43,8 @@ Example Playbook
 License
 -------

-MIT
+- BSD-3-Clause
+- MIT

 Author Information
 ------------------
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -17,4 +17,11 @@ ensure_ansible_version: 2.10.3
 # Allow sudo with a password (applied to group sudo)
 enable_sudo: yes
 # Allow passwordless sudo (applied to group wheel)
-enable_passwordless_sudo: yes
+enable_passwordless_sudo: yes
+# Allow root to connect through SSH
+enable_ssh_for_root: yes
+# Allow root to connect only using public key authentication, no password
+enable_ssh_for_root_prohibit_password: no
+# Skip provisioning of the firewall
+skip_firewall: no
+authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target!
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,2 +1,7 @@
 ---
-# handlers file for common
+# handlers file for common
+- name: Restart SSH
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
+  become: true
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,7 +1,7 @@
 galaxy_info:
-  author: your name
-  description: your description
-  company: your company (optional)
+  author: jotbe
+  description: Common packages and configuration
+  company: ""

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
@ -14,7 +14,9 @@ galaxy_info:
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
-  license: license (GPL-2.0-or-later, MIT, etc)
+  license:
+    - BSD-3-Clause
+    - MIT

  min_ansible_version: 2.4

--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -12,10 +12,13 @@
  import_role:
    name: geerlingguy.firewall
  tags: firewall
+  when: not skip_firewall

 - include: locales-debian.yml
  become: true
-  when: ansible_facts['os_family'] == 'Debian'
+  when:
+    - ansible_facts['os_family'] == 'Debian'
+    - not ansible_is_chroot

 - include: users.yml
  become: true
--- a/tasks/users.yml
+++ b/tasks/users.yml
@ -11,6 +11,14 @@
    groups: users
  with_items: "{{ users }}"

+- name: 'Add docker users'
+  user:
+    name: "{{ item }}"
+    groups: docker
+    append: yes
+  with_items: "{{ docker_users }}"
+  when: docker_users | count
+
 - block:
    - name: 'Ensure that sudo group is existing'
      group:
@ -44,8 +52,9 @@
    user: "{{ item }}"
    state: present
    key: "{{ lookup('file', 'public_keys/id_{{ item }}.pub') }}"
+    exclusive: "{{ authorized_keys_are_exclusive | bool }}"
  with_items: "{{ users }}"
-  ignore_errors: yes
+  ignore_errors: true

 - block:
    - name: 'Ensure that wheel group is existing'
@ -71,6 +80,38 @@
        files:
          - /etc/sudoers
          - /usr/local/etc/sudoers # e.g. FreeBSD
+
+    - name: 'Disable SSH for root'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin No'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == false
+    
+    - name: 'Enable SSH for root through password or key'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin Yes'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == true
+        - enable_ssh_for_root_prohibit_password | bool == false
+    
+    - name: 'Enable SSH for root through key only'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin prohibit-password'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == true
+        - enable_ssh_for_root_prohibit_password | bool == true
  when:
    - enable_sudo
    - enable_passwordless_sudo
@ -82,4 +123,4 @@
    mode: 0644
    owner: "{{ item }}"
    group: "{{ item }}"
-  with_items: "{{ users }}"
+  with_items: "{{ users }}"
Author	SHA1	Message	Date
Jan Beilicke	c0059510d8	Merge pull request 'Adds user list in variable docker_users to docker group' (#5 ) from bugfix/docker-users-group into master Reviewed-on: #5	2023-12-11 19:14:05 +01:00
Jan Beilicke	3bbc6bb2cf	Adds user list in variable docker_users to docker group	2023-12-11 19:13:31 +01:00
Jan Beilicke	b79bd4d2d7	Merge pull request 'Disables SSH access for root on demand' (#4 ) from feature/disable-ssh-for-root into master Reviewed-on: #4	2023-12-11 18:37:12 +01:00
Jan Beilicke	177ba579e9	Disables SSH access for root on demand	2023-12-11 18:36:27 +01:00
Jan Beilicke	a550c49dec	Merge pull request 'Adds option to make authorized_keys exclusive (default: false)' (#3 ) from feature/exclusive-authorized-keys into master Reviewed-on: #3	2023-12-10 15:31:44 +01:00
Jan Beilicke	ef9cfb8ced	Adds option to make authorized_keys exclusive (default: false)	2023-12-10 15:30:25 +01:00
Jan Beilicke	0a845c7097	Fixes merge conflicts	2023-12-10 15:30:14 +01:00
Jan Beilicke	0eb60eb187	Do not set locales if in chroot environment (localectl not supported in chroot)	2022-04-04 22:05:35 +02:00
Jan Beilicke	1cbbba0dea	Allows to skip provisioning of the firewall	2022-04-04 21:31:45 +02:00
Jan Beilicke	2f9c04c49f	Adds some meta information	2022-03-28 21:57:31 +02:00